[PATCH 3/3] mfd: rave-sp: Check received frame length before accepting next byte
From: Andrey Smirnov
Date: Mon Feb 26 2018 - 10:08:05 EST
Check received frame length _before_ accepting next byte in order to
avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE
long.
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: cphealy@xxxxxxxxx
Cc: Lucas Stach <l.stach@xxxxxxxxxxxxxx>
Cc: Lee Jones <lee.jones@xxxxxxxxxx>
Cc: Guenter Roeck <linux@xxxxxxxxxxxx>
Signed-off-by: Andrey Smirnov <andrew.smirnov@xxxxxxxxx>
---
drivers/mfd/rave-sp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
index cec1e309b31f..76fa32006a1b 100644
--- a/drivers/mfd/rave-sp.c
+++ b/drivers/mfd/rave-sp.c
@@ -548,8 +548,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
/* FALLTHROUGH */
case RAVE_SP_EXPECT_ESCAPED_DATA:
- deframer->data[deframer->length++] = byte;
-
if (deframer->length == sizeof(deframer->data)) {
dev_warn(dev, "Bad frame: Too long\n");
/*
@@ -564,6 +562,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
goto reset_framer;
}
+ deframer->data[deframer->length++] = byte;
+
/*
* We've extracted out special byte, now we
* can go back to regular data collecting
--
2.14.3